实践tcpdump

Posted on | In | Visitors

安装tcpdump

1
sudo yum install tcpdump

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
# 指定网卡
$ sudo tcpdump -i eth0
# 指定远程主机(包括出和入)
$ tcpdump host 182.254.38.55
# 指定来源
$ tcpdump src host hostname
# 指定目标
$ tcpdump dst host hostname
# 指定协议
$ tcpdump tcp
$ tcpdump udp
# 指定端口和远程主机
$ tcpdump tcp port 22 and src host 123.207.116.169
# 指定主机间通讯
$ tcpdump ip host 210.27.48.1 and 210.27.48.2
# 指定主机间(排除)的通讯
$ tcpdump ip host 210.27.48.1 and ! 210.27.48.2

查看http get请求

服务端开启抓取

1
2
# http服务端口8080
sudo tcpdump -s 0 -A 'tcp dst port 8080 and tcp[((tcp[12:1] & 0xf0) >> 2):4] = 0x47455420'

例如客户端发送请求:

1
1
curl http://192.168.1.192:8080

服务端抓取到的请求:

1
2
3
4
5
6
14:19:20.778839 IP localhost.43464 > dev-1-192.webcache: Flags [P.], seq 3822944402:3822944484, ack 3776879275, win 229, options [nop,nop,TS val 190032178 ecr 190035300], length 82: HTTP: GET / HTTP/1.1
E...).@.@............................J.....
.S.2.S.dGET / HTTP/1.1
User-Agent: curl/7.29.0
Host: 192.168.1.192:8080
Accept: */*

查看http post请求

服务端开启抓取

1
2
3
4
# http服务端口8080
sudo tcpdump -s 0 -A 'tcp dst port 8080 and (tcp[((tcp[12:1] & 0xf0) >> 2):4] = 0x504f5354)'
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes

例如客户端发送请求:

1
curl -d {a:2} --header 'Content-Type: application/json' --header 'Accept: application/json' 'http://192.168.1.192:8080/test/test?param=%E6%B5%8B%E8%AF%95'

服务端抓取到的请求:

1
2
3
4
5
6
7
8
9
10
14:07:25.020808 IP localhost.59674 > dev-1-192.webcache: Flags [P.], seq 1560189760:1560189946, ack 4125247513, win 229, options [nop,nop,TS val 189316420 ecr 189319542], length 186: HTTP: POST /test/test?param=%E6%B5%8B%E8%AF%95 HTTP/1.1
E...&~@.@...............\..@..H............
.H.D.H.vPOST /test/test?param=%E6%B5%8B%E8%AF%95 HTTP/1.1
User-Agent: curl/7.29.0
Host: 192.168.1.192:8080
Content-Type: application/json
Accept: application/json
Content-Length: 5

{a:2}

查看http请求响应头和数据

-A

ascii显示

服务端开启抓取

1
$ sudo tcpdump -A -s 0 'tcp port 8080 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)'

例如客户端发送请求:

1
$ curl -d {a:2} --header 'Content-Type: application/json' --header 'Accept: application/json' 'http://192.168.1.192:8080/test/test?param=%E6%B5%8B%E8%AF%95'

服务端抓取到请求和响应头和数据:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
14:13:14.418281 IP localhost.37450 > dev-1-192.webcache: Flags [P.], seq 4004625854:4004626040, ack 727172332, win 229, options [nop,nop,TS val 189665817 ecr 189668939], length 186: HTTP: POST /test/test?param=%E6%B5%8B%E8%AF%95 HTTP/1.1
E.....@.@............J......+W.............
.N...N.KPOST /test/test?param=%E6%B5%8B%E8%AF%95 HTTP/1.1
User-Agent: curl/7.29.0
Host: 192.168.1.192:8080
Content-Type: application/json
Accept: application/json
Content-Length: 5

{a:2}
14:13:14.436945 IP dev-1-192.webcache > localhost.37450: Flags [P.], seq 1:231, ack 186, win 235, options [nop,nop,TS val 189668959 ecr 189665817], length 230: HTTP: HTTP/1.1 200 
E.....@.@..j...........J+W.....x...........
.N._.N..HTTP/1.1 200 
Content-Type: application/json;charset=UTF-8
Transfer-Encoding: chunked
Date: Fri, 15 Nov 2019 06:13:14 GMT

60
{"status":"OK","message":"......:...............","total":0,"rows":[],"params":null,"code":2000}

14:13:14.437295 IP dev-1-192.webcache > localhost.37450: Flags [P.], seq 231:236, ack 186, win 235, options [nop,nop,TS val 189668959 ecr 189665817], length 5: HTTP
E..9..@.@..J...........J+W.....x...........
.N._.N..0

-X

ascii和hex显示

服务端开启抓取

1
sudo tcpdump -X -s 0 'tcp port 8080 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)'

例如客户端发送请求:

1
1
curl http://192.168.1.192:8080

服务端抓取到请求和响应头和数据:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
14:25:09.317590 IP localhost.48484 > dev-1-192.webcache: Flags [P.], seq 2214025441:2214025523, ack 4192160721, win 229, options [nop,nop,TS val 190380717 ecr 190383838], length 82: HTTP: GET / HTTP/1.1
	0x0000:  4500 0086 a24d 4000 4006 1353 c0a8 01c1  E....M@.@..S....
	0x0010:  c0a8 01c0 bd64 1f90 83f7 58e1 f9df 4bd1  .....d....X...K.
	0x0020:  8018 00e5 854a 0000 0101 080a 0b58 faad  .....J.......X..
	0x0030:  0b59 06de 4745 5420 2f20 4854 5450 2f31  .Y..GET./.HTTP/1
	0x0040:  2e31 0d0a 5573 6572 2d41 6765 6e74 3a20  .1..User-Agent:.
	0x0050:  6375 726c 2f37 2e32 392e 300d 0a48 6f73  curl/7.29.0..Hos
	0x0060:  743a 2031 3932 2e31 3638 2e31 2e31 3932  t:.192.168.1.192
	0x0070:  3a38 3038 300d 0a41 6363 6570 743a 202a  :8080..Accept:.*
	0x0080:  2f2a 0d0a 0d0a                           /*....
14:25:09.393676 IP dev-1-192.webcache > localhost.48484: Flags [P.], seq 1:247, ack 82, win 227, options [nop,nop,TS val 190383915 ecr 190380717], length 246: HTTP: HTTP/1.1 404 
	0x0000:  4500 012a 4d0f 4000 4006 67ed c0a8 01c0  E..*M.@.@.g.....
	0x0010:  c0a8 01c1 1f90 bd64 f9df 4bd1 83f7 5933  .......d..K...Y3
	0x0020:  8018 00e3 85ee 0000 0101 080a 0b59 072b  .............Y.+
	0x0030:  0b58 faad 4854 5450 2f31 2e31 2034 3034  .X..HTTP/1.1.404
	0x0040:  200d 0a43 6f6e 7465 6e74 2d54 7970 653a  ...Content-Type:
	0x0050:  2061 7070 6c69 6361 7469 6f6e 2f6a 736f  .application/jso
	0x0060:  6e3b 6368 6172 7365 743d 5554 462d 380d  n;charset=UTF-8.
	0x0070:  0a54 7261 6e73 6665 722d 456e 636f 6469  .Transfer-Encodi
	0x0080:  6e67 3a20 6368 756e 6b65 640d 0a44 6174  ng:.chunked..Dat
	0x0090:  653a 2046 7269 2c20 3135 204e 6f76 2032  e:.Fri,.15.Nov.2
	0x00a0:  3031 3920 3036 3a32 353a 3039 2047 4d54  019.06:25:09.GMT
	0x00b0:  0d0a 0d0a 3730 0d0a 7b22 7469 6d65 7374  ....70..{"timest
	0x00c0:  616d 7022 3a22 3230 3139 2d31 312d 3135  amp":"2019-11-15
	0x00d0:  2031 343a 3235 3a30 3922 2c22 7374 6174  .14:25:09","stat
	0x00e0:  7573 223a 3430 342c 2265 7272 6f72 223a  us":404,"error":
	0x00f0:  224e 6f74 2046 6f75 6e64 222c 226d 6573  "Not.Found","mes
	0x0100:  7361 6765 223a 224e 6f20 6d65 7373 6167  sage":"No.messag
	0x0110:  6520 6176 6169 6c61 626c 6522 2c22 7061  e.available","pa
	0x0120:  7468 223a 222f 227d 0d0a                 th":"/"}..
14:25:09.394075 IP dev-1-192.webcache > localhost.48484: Flags [P.], seq 247:252, ack 82, win 227, options [nop,nop,TS val 190383916 ecr 190380717], length 5: HTTP
	0x0000:  4500 0039 4d10 4000 4006 68dd c0a8 01c0  E..9M.@.@.h.....
	0x0010:  c0a8 01c1 1f90 bd64 f9df 4cc7 83f7 5933  .......d..L...Y3
	0x0020:  8018 00e3 84fd 0000 0101 080a 0b59 072c  .............Y.,
	0x0030:  0b58 faad 300d 0a0d 0a                   .X..0....

参考

使用tcpdump查看HTTP请求响应

Linux tcpdump命令详解

Linux基础:用tcpdump抓包

A tcpdump Tutorial with Examples — 50 Ways to Isolate Traffic